1. Field of the Invention
This invention relates generally to IT networks and, more particularly, to tracking user IT activity during a logon session, including device accesses and any account switches.
2. Description of the Background Art
Computer networks of companies, government agencies, institutions, and other entities are frequently under attack from hackers. Known systems require administrators to build queries against an IT database in order to determine security risks. For example, an administrator may run a query for user accounts in which a user tried to log in five times and failed. This approach requires the administrator to know the behavior patterns of attackers and predefine what is considered a risk.
A problem with this approach is that attackers' patterns vary and change, so it is not always possible to know in advance what malicious behavior looks like. Also, attackers often impersonate a registered user in the network. Therefore, there is a need for a solution that can detect security risks for unknown attack patterns and that can detect attackers impersonating legitimate users of a network. There is particularly a need to be able to track user activity during a logon session, including tracking the user through account switches and device switches.